Field of the Invention
Embodiments of the present invention relate generally to intrusion detection systems and, more specifically, to techniques for detecting attacks in a publish-subscribe network.
Description of the Related Art
In a conventional publish-subscribe network, a group of publishers generate content that is communicated to a group of subscribers via a communication protocol. According to this protocol, publishers may publish content to specific topics, and subscribers may subscribe to certain topics. Particular subscribers receive content associated with the topics to which those subscribers have subscribed.
A conventional publish-subscribe network typically includes a network infrastructure that is designed to support the above communication protocol. Normally, this underlying network infrastructure is designed to be sufficiently robust to properly support a large number of publishers and a large number of subscribers, provided those publishers and subscribers operate in an expected manner. For example, the network infrastructure may be designed to support a given number of publishers provided each of those publishers does not publish more than a certain amount of content during a given time frame.
One problem with conventional network infrastructures is that these infrastructures are not typically designed to support communications between publishers and subscribers when publishers and/or subscribers operate in an unexpected and potentially malicious manner. Consequently, malicious behavior by a particular publisher or subscriber can cripple the network infrastructure. For example, a malicious publisher could intentionally publish an extraordinarily large quantity of content within a very short time frame, exceeding the amount of content the infrastructure was designed to carry and overwhelming its ability to properly communicate that content to the relevant subscribers. More generally, malicious publishers or subscribers can mount a wide variety of attacks on a given network infrastructure in order to overwhelm and cripple the network infrastructure. These types of attacks are collectively known as “denial of service” (DoS) attacks.
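The two preceding paragraphs describe a design assumption (each publisher stays within a certain amount of content per time frame) and its violation (a single publisher flooding the infrastructure). The following Python example, added here for illustration and not part of the patent text, turns that assumption into a per-publisher sliding-window budget and runs it over a constructed publish log. The log format (`timestamp action publisher topic`), the budget of 5 publications per 10-second window, and the publisher and topic names are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Assumed budget: no publisher may emit more than MAX_MESSAGES publications
# within any WINDOW_SECONDS interval. The patent text names the concept of a
# per-publisher limit but gives no numbers; these are illustrative values.
WINDOW_SECONDS = 10.0
MAX_MESSAGES = 5


class PublisherRateMonitor:
    """Flags publishers whose publication rate exceeds a sliding-window budget."""

    def __init__(self, window=WINDOW_SECONDS, max_messages=MAX_MESSAGES):
        self.window = window
        self.max_messages = max_messages
        self._events = defaultdict(deque)   # publisher -> timestamps inside window
        self.alerts = []                     # (timestamp, publisher, topic, count)

    def observe(self, ts, publisher, topic):
        """Record one publication; return True if it breaches the budget."""
        q = self._events[publisher]
        # Evict timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.max_messages:
            self.alerts.append((ts, publisher, topic, len(q)))
            return True
        return False


# Constructed sample log (not captured from any real broker): pub-A publishes at
# a steady, in-budget rate; pub-B floods one topic with 10 messages in under a
# second; a subscriber line is present to show non-PUBLISH records are ignored.
SAMPLE_LOG = """\
0.0 PUBLISH pub-A sensors/temp
1.0 SUBSCRIBE sub-1 sensors/hum
3.0 PUBLISH pub-A sensors/temp
5.0 PUBLISH pub-B sensors/hum
5.1 PUBLISH pub-B sensors/hum
5.2 PUBLISH pub-B sensors/hum
5.3 PUBLISH pub-B sensors/hum
5.4 PUBLISH pub-B sensors/hum
5.5 PUBLISH pub-B sensors/hum
5.6 PUBLISH pub-B sensors/hum
5.7 PUBLISH pub-B sensors/hum
5.8 PUBLISH pub-B sensors/hum
5.9 PUBLISH pub-B sensors/hum
6.0 PUBLISH pub-A sensors/temp
9.0 PUBLISH pub-A sensors/temp
12.0 PUBLISH pub-A sensors/temp
"""


def parse_log(text):
    """Parse 'ts action publisher topic' lines into (ts, publisher, topic) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, action, principal, topic = line.split()
        if action == "PUBLISH":
            events.append((float(ts), principal, topic))
    events.sort(key=lambda e: e[0])   # replay in time order
    return events


def run_detection(text, window=WINDOW_SECONDS, max_messages=MAX_MESSAGES):
    """Replay a log through the monitor and summarise what it flagged."""
    monitor = PublisherRateMonitor(window, max_messages)
    for ts, publisher, topic in parse_log(text):
        monitor.observe(ts, publisher, topic)
    return {
        "flagged": {a[1] for a in monitor.alerts},
        "alert_count": len(monitor.alerts),
        "first_alert": monitor.alerts[0] if monitor.alerts else None,
    }


if __name__ == "__main__":
    summary = run_detection(SAMPLE_LOG)
    print("flagged publishers:", sorted(summary["flagged"]))
    print("first alert:", summary["first_alert"])
```

With these values the monitor raises its first alert on pub-B's sixth message at t=5.5 and never flags pub-A, whose four-to-five messages per window stay within budget. The limitation worth noting is the one the text hints at: a per-publisher budget only catches a single publisher that exceeds its own allowance; many publishers each staying just under the limit can still exceed the aggregate capacity of the infrastructure, so a practical detector also tracks per-topic and broker-wide totals.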
With increasingly large and complicated network infrastructures, publish-subscribe networks are increasingly at risk of DoS attacks. Further, due to the complexity of these networks, there are few, if any, effective solutions for detecting when DoS attacks are starting or are already in progress. Therefore, preventing imminent attacks or mitigating existing attacks on conventional network infrastructures is quite difficult.
As the foregoing illustrates, what is needed in the art are more effective approaches to detecting DoS attacks on network infrastructures.